From c969825c800eaaaa6d5d11b6d1d6dc729c289865 Mon Sep 17 00:00:00 2001
From: Gros Frumos
Date: Sat, 21 Mar 2026 07:58:56 +0200
Subject: [PATCH] =?UTF-8?q?nginx:=20=D0=B4=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8?=
 =?UTF-8?q?=D1=82=D1=8C=20security-=D0=B7=D0=B0=D0=B3=D0=BE=D0=BB=D0=BE?=
 =?UTF-8?q?=D0=B2=D0=BA=D0=B8=20(HSTS,=20CSP,=20X-Frame-Options,=20X-Conte?=
 =?UTF-8?q?nt-Type)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Заголовки повторены в location / из-за особенности nginx — дочерний блок с add_header отменяет наследование родительского server-уровня.

Co-Authored-By: Claude Sonnet 4.6
---
 nginx/baton.conf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/nginx/baton.conf b/nginx/baton.conf
index e148729..8afbf2f 100644
--- a/nginx/baton.conf
+++ b/nginx/baton.conf
@@ -91,9 +91,27 @@ server {
     proxy_connect_timeout 5s;
   }
+  # ---------------------------------------------------------------------------
+  # Security headers
+  # IMPORTANT: must be repeated in every location block that uses add_header,
+  # because nginx does not inherit parent add_header when child block defines its own.
+  # ---------------------------------------------------------------------------
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Content-Type-Options nosniff always;
+  add_header X-Frame-Options DENY always;
+  add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+
   # Статика фронтенда (SPA)
   location / {
     root /opt/baton/frontend;
     try_files $uri /index.html;
+    expires 1h;
+    # Security headers repeated here because add_header in location blocks
+    # overrides parent-level add_header directives (nginx inheritance rule)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options DENY always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+    add_header Cache-Control "public" always;
   }
 }
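Review bot: The Content-Security-Policy value added at server level and repeated inside `location /` has no `base-uri`, `form-action` or `frame-ancestors` directive, and those three do not fall back to `default-src`, so an injected `<base>` tag or form can still point at an attacker host and framing protection rests solely on X-Frame-Options; change both CSP lines to `add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'" always;`. Strict-Transport-Security is only honored by browsers on a TLS response, and the enclosing `server {}` block opens before the hunk, so confirm that this block terminates TLS and that any plain-HTTP listener in the file redirects rather than emitting these headers. The two copies of the header list have already started to drift (`location /` carries `expires 1h` and `Cache-Control "public"` that the server level does not), so putting the four security headers in one snippet and pulling it in with `include` at both places would keep them identical as more locations gain their own `add_header`. Note also that `add_header Cache-Control "public" always` applies to error responses too, and with `try_files $uri /index.html` the SPA entry page itself becomes cacheable for an hour, which delays rollout of a tightened CSP; a `no-cache` exception for `/index.html` or dropping `always` from that one header would avoid both.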